be5b0e07b1178ae4829b77d586e6c573fd55b575bc2a7f92bbcf6c592ccf9a01

Analysis

max time kernel
143s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

632344228e6ac91dc5eff3d70b58e32b.exe
Size

208KB
MD5

632344228e6ac91dc5eff3d70b58e32b
SHA1

81ccdf56795384faff1dfc82e2902e121ffba801
SHA256

be5b0e07b1178ae4829b77d586e6c573fd55b575bc2a7f92bbcf6c592ccf9a01
SHA512

9ce6e5e53823d6c79d46587564abe9b8854a691eb39824dcdbb9a796e27224f85014b4097731f97fd23d82cffbd324e8184492758b1b1c09f74f3eaca9d5858f
SSDEEP

3072:al7B6FtS4n/fDfUmeyCv1cZ+XuEwcooCmkd/Tzjonu5JiXbNbccK4ZpH:al7unnX+Re+bFEmETzsGJieUH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2724	u.dll
2708	mpress.exe
2576	u.dll
2924	mpress.exe

Loads dropped DLL 8 IoCs

pid	Process
2256	cmd.exe
2256	cmd.exe
2724	u.dll
2724	u.dll
2256	cmd.exe
2256	cmd.exe
2576	u.dll
2576	u.dll

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2256	2368	632344228e6ac91dc5eff3d70b58e32b.exe	29
PID 2368 wrote to memory of 2256	2368	632344228e6ac91dc5eff3d70b58e32b.exe	29
PID 2368 wrote to memory of 2256	2368	632344228e6ac91dc5eff3d70b58e32b.exe	29
PID 2368 wrote to memory of 2256	2368	632344228e6ac91dc5eff3d70b58e32b.exe	29
PID 2256 wrote to memory of 2724	2256	cmd.exe	30
PID 2256 wrote to memory of 2724	2256	cmd.exe	30
PID 2256 wrote to memory of 2724	2256	cmd.exe	30
PID 2256 wrote to memory of 2724	2256	cmd.exe	30
PID 2724 wrote to memory of 2708	2724	u.dll	31
PID 2724 wrote to memory of 2708	2724	u.dll	31
PID 2724 wrote to memory of 2708	2724	u.dll	31
PID 2724 wrote to memory of 2708	2724	u.dll	31
PID 2256 wrote to memory of 2576	2256	cmd.exe	33
PID 2256 wrote to memory of 2576	2256	cmd.exe	33
PID 2256 wrote to memory of 2576	2256	cmd.exe	33
PID 2256 wrote to memory of 2576	2256	cmd.exe	33
PID 2576 wrote to memory of 2924	2576	u.dll	32
PID 2576 wrote to memory of 2924	2576	u.dll	32
PID 2576 wrote to memory of 2924	2576	u.dll	32
PID 2576 wrote to memory of 2924	2576	u.dll	32
PID 2256 wrote to memory of 564	2256	cmd.exe	34
PID 2256 wrote to memory of 564	2256	cmd.exe	34
PID 2256 wrote to memory of 564	2256	cmd.exe	34
PID 2256 wrote to memory of 564	2256	cmd.exe	34
PID 2256 wrote to memory of 672	2256	cmd.exe	35
PID 2256 wrote to memory of 672	2256	cmd.exe	35
PID 2256 wrote to memory of 672	2256	cmd.exe	35
PID 2256 wrote to memory of 672	2256	cmd.exe	35
PID 2256 wrote to memory of 796	2256	cmd.exe	56
PID 2256 wrote to memory of 796	2256	cmd.exe	56
PID 2256 wrote to memory of 796	2256	cmd.exe	56
PID 2256 wrote to memory of 796	2256	cmd.exe	56
PID 2256 wrote to memory of 608	2256	cmd.exe	36
PID 2256 wrote to memory of 608	2256	cmd.exe	36
PID 2256 wrote to memory of 608	2256	cmd.exe	36
PID 2256 wrote to memory of 608	2256	cmd.exe	36
PID 2256 wrote to memory of 1044	2256	cmd.exe	55
PID 2256 wrote to memory of 1044	2256	cmd.exe	55
PID 2256 wrote to memory of 1044	2256	cmd.exe	55
PID 2256 wrote to memory of 1044	2256	cmd.exe	55
PID 2256 wrote to memory of 3024	2256	cmd.exe	37
PID 2256 wrote to memory of 3024	2256	cmd.exe	37
PID 2256 wrote to memory of 3024	2256	cmd.exe	37
PID 2256 wrote to memory of 3024	2256	cmd.exe	37
PID 2256 wrote to memory of 3040	2256	cmd.exe	38
PID 2256 wrote to memory of 3040	2256	cmd.exe	38
PID 2256 wrote to memory of 3040	2256	cmd.exe	38
PID 2256 wrote to memory of 3040	2256	cmd.exe	38
PID 2256 wrote to memory of 3016	2256	cmd.exe	54
PID 2256 wrote to memory of 3016	2256	cmd.exe	54
PID 2256 wrote to memory of 3016	2256	cmd.exe	54
PID 2256 wrote to memory of 3016	2256	cmd.exe	54
PID 2256 wrote to memory of 592	2256	cmd.exe	39
PID 2256 wrote to memory of 592	2256	cmd.exe	39
PID 2256 wrote to memory of 592	2256	cmd.exe	39
PID 2256 wrote to memory of 592	2256	cmd.exe	39
PID 2256 wrote to memory of 940	2256	cmd.exe	40
PID 2256 wrote to memory of 940	2256	cmd.exe	40
PID 2256 wrote to memory of 940	2256	cmd.exe	40
PID 2256 wrote to memory of 940	2256	cmd.exe	40
PID 2256 wrote to memory of 2344	2256	cmd.exe	53
PID 2256 wrote to memory of 2344	2256	cmd.exe	53
PID 2256 wrote to memory of 2344	2256	cmd.exe	53
PID 2256 wrote to memory of 2344	2256	cmd.exe	53

C:\Users\Admin\AppData\Local\Temp\632344228e6ac91dc5eff3d70b58e32b.exe
"C:\Users\Admin\AppData\Local\Temp\632344228e6ac91dc5eff3d70b58e32b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\45D6.tmp\vir.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 632344228e6ac91dc5eff3d70b58e32b.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\479B.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\479B.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe479C.tmp"
      4⤵
      Executes dropped EXE
      PID:2708
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2576
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:564
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:672
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:608
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:3024
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:3040
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:592
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:940
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1576
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2516
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1724
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2180
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1520
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1268
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2552
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2000
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1584
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1620
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1672
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1668
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2344
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:3016
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1044
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:796

C:\Users\Admin\AppData\Local\Temp\4AB6.tmp\mpress.exe
"C:\Users\Admin\AppData\Local\Temp\4AB6.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe4AB7.tmp"
1⤵
- Executes dropped EXE
PID:2924

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\45D6.tmp\vir.bat

Filesize
1KB

MD5
6ba9f5cbb02ea75d9e1b936f463b1ad1

SHA1
85055134cf8a8a82d646ec776dd101b30c2f6365

SHA256
60d651f11bef491756532a3e02c16691b88b03d22cbe013c1fb88c112bde34cd

SHA512
252bc8de44e220a39e3cccba9073539985e3fdeaea1cd84a7f39156e78884ac86a8d70cf442849d0757296c2d4690bd528b4993e4c7a16b95843457f49b2e3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe479C.tmp

Filesize
41KB

MD5
dccc902dc69f9012016bfbeebaec2ab4

SHA1
9bb1965864382c768f42709d65999e8ab14af8b5

SHA256
6ef2e241ab78f7ed0389775aed3e394233a49f32634c9bb293e663e1ee381e37

SHA512
7b5ca3fe7b496a6b9b506ea477b72342c2d673278e9e7a1e73a257bf1847e926a866ff624995aee24ec9e871882b34bd2cdf5181a47ec047faa57bb7fe4c3086

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe479C.tmp

Filesize
24KB

MD5
75c613a066f65857be61e90d4ea44435

SHA1
825db98cf1f56a88a3d2407f6b20ff8521a142a6

SHA256
2928b10cb3bd918ff461785fb55a8ae8b6fd3f281e03986b3a2d77ad798ebb4d

SHA512
292fd978eb0e6d1e809879396299401a8f41cc2f2a3ed2004c66c573e4b280baf333be8e5510dd46a8f7c837c641d9fbae108b7c1b2c4758ba16bd7b7e8671cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe4AB7.tmp

Filesize
41KB

MD5
113b605107d450f5224e1e0913267fab

SHA1
3aab433a1005c8841b8788a32bf189dd25d3d5b8

SHA256
82db610505448f436fcc2f89178c925ea930692febed87e16605fb1008d3db35

SHA512
d8c05077abba43e8dc49d8d2b98e3199edb21b01846bfd7f74630adbefa86cfdc8f091d013327a168b25d54a8af0dfe77deb97f3e75a4415f095f45c00924faf

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe4AB7.tmp

Filesize
24KB

MD5
ffb70bba0f58b4fffb26938e70b44ac1

SHA1
dafd8d4906c452061b46764f5db70a3714f13e26

SHA256
7cf8fa90ff8d85e586b2230a9e0b0b273f2264ec48c115c4beb1d961e2cbde29

SHA512
0207be543cc2691f977f6e560dd20a24de0648ad2887a2ef7f619e6ff4692b38b302a4f30df1362afc1d4943b592c300aac900ad94459a30af57018dc0c74e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
5eebc5137f7474ad3d1036a2fc92dd9b

SHA1
55adc9d05feae8b8866b4d3d9f47771b38c929ec

SHA256
0af0b0f54b7bf4e2bc934ff5122a4541df938d2c2865a9aca17d1e03f007d2da

SHA512
ae3709f5a675f318503de49045f4312169318b7e066ce1f0b78955235c2ecb62f242cdb4012527b2346be8c9a57056ebd13fcba810aeac6cf82f1b4464383483

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
6b7f64dce4af17b5e1fcd8ef69ed54d7

SHA1
3bc7b1e6d8663fbd9a28cfcf29a527c49b4ae740

SHA256
3778dab1490e77a15264262f21d24efa158be6c0eefc547978b11ae3f9930b59

SHA512
12e8030b299f30d42eac408939db4f16551f6deaf1b14f93d214789b8ae2e1d637fa598f263b19bfc1667aff5c0848ebec4bd0845c33ec5f3493af87137ad73c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
cc21bfb6f9e0398ab1fa203372f268a4

SHA1
57146970722893c1d5daf62aa06e9cbbc92178aa

SHA256
1c028071d32a9462982cdd8264ddc5c7a0f61e78b2570d3ea7ce0109d00b36f2

SHA512
d6bedbfdff3c7eb45bfaa75aa46dd86095fabb87fc48758d0378bf24cf640564c9f0b2a3e478fa02738d61e44dc3ed25056e599eb0ed9242941d61c1b5e74547

Download Submit
\Users\Admin\AppData\Local\Temp\479B.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
\Users\Admin\AppData\Local\Temp\u.dll

Filesize
655KB

MD5
c8a8943acc6b3598dd9c1fce00db45e7

SHA1
d80e9dae45c53d130724ecf2cff2ec7126c36ecf

SHA256
4417169f9c9fb5e708589c9d0fd9927892a25e1949507836b231c4f5b6fc4619

SHA512
9890fb3d792b9c147d59d6b2944a776b2f0d6552a27c96d7cf8777b8bfb7647a76f326dcacc6aaa30381b71a25b434c6215520bfea6d4e140aca62a5a1b50eaf

Download Submit
memory/2368-161-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2368-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2576-142-0x0000000001DA0000-0x0000000001DD4000-memory.dmp

Filesize
208KB

Download
memory/2576-144-0x0000000001DA0000-0x0000000001DD4000-memory.dmp

Filesize
208KB

Download
memory/2708-76-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-70-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2724-68-0x00000000004C0000-0x00000000004F4000-memory.dmp

Filesize
208KB

Download
memory/2724-69-0x00000000004C0000-0x00000000004F4000-memory.dmp

Filesize
208KB

Download
memory/2924-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2924-150-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads